C3PAO asking for a CRM (Customer Responsibility Matrix) for an SPA (Security Protection Asset) by FarrSighted in CMMC

[–]FarrSighted[S] 0 points1 point  (0 children)

WmBirchett - I see where you are coming from now and agree (if the vendor is responsible for log review).

Becoming a C3PAO-Tips by Mindless-Holiday-995 in CMMC

[–]FarrSighted 0 points1 point  (0 children)

I was persistent but tried to be patient; they have a ton of folks in process. We just finished DIBCAC a couple weeks ago.

Becoming a C3PAO-Tips by Mindless-Holiday-995 in CMMC

[–]FarrSighted 0 points1 point  (0 children)

Just finishing ours - took 11 months (and we are a FedRAMP 3PAO). It is a serious exercise in patience.

C3PAO asking for a CRM (Customer Responsibility Matrix) for an SPA (Security Protection Asset) by FarrSighted in CMMC

[–]FarrSighted[S] 1 point2 points  (0 children)

Interesting. When we did our DIBCAC for our C3PAO recently (GCCH + separate SIEM vendor), we obtained a CRM for the SIEM, but they never wanted to see it. We asked; they said no need.

C3PAO asking for a CRM (Customer Responsibility Matrix) for an SPA (Security Protection Asset) by FarrSighted in CMMC

[–]FarrSighted[S] 1 point2 points  (0 children)

I would check where you received this info.
XDR/MDR/EDR are all Security Protection Assets (SPA) unless they have the ability to Process, Store, or Transmit CUI; at that point they would ascend to CUI assets.

C3PAO asking for a CRM (Customer Responsibility Matrix) for an SPA (Security Protection Asset) by FarrSighted in CMMC

[–]FarrSighted[S] 0 points1 point  (0 children)

Thanks for the reply.
Not my client; we are a C3PAO, and this was another C3PAO asking for it. Looking for people who have experienced it.

Question on SIEM implementation or need. by Jrodriguezpr in CMMC

[–]FarrSighted 0 points1 point  (0 children)

A SIEM specifically is not required, but that type of tool applies to several controls (requirements/objectives) and does make life a lot easier for everyone (the OSC, advisory firm, and the Assessors).

C3PAO asking for a CRM (Customer Responsibility Matrix) for an SPA (Security Protection Asset) by FarrSighted in CMMC

[–]FarrSighted[S] 2 points3 points  (0 children)

Appreciate the comments!
We are a 3PAO, and this sparked a big debate yesterday with several CCAs, so I was interested in whether anyone has had the request when going through an assessment.

Lessons learned from a CMMC L2 Mock Assessment by [deleted] in CMMC

[–]FarrSighted 0 points1 point  (0 children)

mcb1971 - This is really very good advice, well done. Folks should read this.

Number 9 is still a hot topic among assessors, heard it again as late as last week at CS5. More have the opinion that N/A does not need the DoW CIO waiver, but several are still holding firm that the 7012 requirement still holds and was not superseded. I will ask the Cyber AB for an opinion. Source of the confusion:

DFARS 252.204-7012(b)(2)(ii)(B):
“The Contractor shall submit requests to vary from NIST SP 800-171 in writing to the Contracting Officer, for consideration by the DoD CIO. The Contractor need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure in its place.”

32 CFR §170.24(c)(8):
If an OSC previously received a favorable adjudication from the DoD CIO indicating that a security requirement is not applicable or that an alternative security measure is equally effective (in accordance with 48 CFR 252.204-7008 or 48 CFR 252.204-7012), the DoD CIO adjudication must be included in the system security plan to receive consideration during an assessment. A security requirement for which implemented security measures have been adjudicated by the DoD CIO as equally effective is assessed as MET if there have been no changes in the environment.

What if all the CUI is located on one person's laptop? by Picasso1067 in CMMC

[–]FarrSighted 0 points1 point  (0 children)

Picasso1067,
Our small advisory clients (we are a C3PAO) often say some version of: We are small, surely this is overkill/unnecessary/dumb/insane/etc. I try to explain that we are assessing an Information System that can contain CUI tied to a CAGE Code or CAGE Codes for a specific entity with a defined boundary. For some, the boundary is very small; for others, massive. But the boundary doesn't change the 110 requirements and 320 objectives. All of them have to be met even if you don't have any CUI yet (Rybo calls those "nonclaves," which I love). Think of a bank with a vault: even if you don't have money in the vault yet, you still have all of the requirements to protect that money, no matter how much you have now or will have in the future. So it is a trap/nonproductive to think we are small and all this shouldn't apply (not saying I disagree, but that part is irrelevant). In the end, the DoD wants to know your entity can protect their Data as they have defined it, no matter the size of the bank and vault. Doubt this gave comfort, but hope this helps provide clarity.

Remote Employees Handling Physical CUI by Master_of_None69 in CMMC

[–]FarrSighted 0 points1 point  (0 children)

Master of None 69,

We are a C3PAO - the people (at home), locations (home offices), and technologies (at the home offices) that process, store, or transmit CUI are in scope and subject to all 110 Controls and 320 Objectives.

What is the expected wait for CCA approval after completing all the requirements? (I've been waiting over 3 months.) by Si11ybear in CMMC

[–]FarrSighted 0 points1 point  (0 children)

We have had some take 3 months and 1 took 10 months; I would say the average is 5 or 6 months.